severity_rating: high created_at: 2018-12-06 05:46:45 vendor: grab https://hackerone.com/grab bounty_amount:

Summary:
Production secret key leak in config/secrets.yml

Description:
In the GitHub repository behind http://engineering.grab.com/, the secret_key_base value stored in config/secrets.yml is exposed publicly.

Steps To Reproduce:

  1. Open the GitHub URL below and verify that secret_key_base is present in the file: https://github.com/grab/blogs/blob/master/2017-01-29-deep-dive-into-database-timeouts-in-rails/config/secrets.yml

Mitigation:

https://medium.com/@thejasonfile/hide-your-api-keys-hide-your-skype-api-keys-884427746f9c
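As an added example, not part of the report or of Grab's code, the following Ruby check implements the mitigation as a pre-commit or CI guard: it parses a config/secrets.yml without evaluating its ERB and flags any environment whose secret_key_base is a committed literal rather than a reference to the process environment. The two sample files and the key value inside them are constructed.

```ruby
require "yaml"

# Rails reads config/secrets.yml through ERB first and YAML second, so a value
# written as <%= ENV["SECRET_KEY_BASE"] %> is filled in at boot and the real
# key never enters the repository. A literal string committed in that field is
# the defect this report describes; this check flags it before commit or in CI.

ERB_TAG = /<%.*?%>/m

# Returns [[environment, severity, message], ...]; an empty array is a clean file.
def literal_secret_key_bases(secrets_yml)
  # Swap ERB tags for a marker so the file parses as YAML without evaluating Ruby.
  neutralised = secrets_yml.gsub(ERB_TAG, "__ERB__")
  doc = YAML.safe_load(neutralised) || {}
  doc.each_with_object([]) do |(env, settings), findings|
    next unless settings.is_a?(Hash)
    value = settings["secret_key_base"].to_s.strip
    next if value.empty?               # Rails 5.2+ may keep it in credentials.yml.enc instead
    next if value.include?("__ERB__")  # resolved from the environment at runtime
    severity = env == "production" ? "high" : "low"
    findings << [env, severity, "literal secret_key_base (#{value.length} chars) committed for #{env}"]
  end
end

# Constructed sample mirroring the report: the production key pasted in as a literal.
LEAKY_SECRETS_YML = <<~YAML
  development:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
  production:
    secret_key_base: #{"deadbeef" * 16}
YAML

# Constructed sample of the fix: every environment reads the key from ENV.
SAFE_SECRETS_YML = <<~YAML
  development:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

if __FILE__ == $PROGRAM_NAME
  literal_secret_key_bases(LEAKY_SECRETS_YML).each { |env, sev, msg| puts "[#{sev}] #{env}: #{msg}" }
  puts "safe file: #{literal_secret_key_bases(SAFE_SECRETS_YML).size} findings"
end
```

Run it against the repository's config/secrets.yml in a pre-commit hook and fail the commit on any "high" finding.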

Impact

The impact is explained in detail here:
https://stackoverflow.com/questions/44220691/rails-what-are-the-consequences-of-a-leaked-secret-key-base
